Oct 21, 2011

This is part 2 of Securing the Cloud.

Here is an interesting idea I have had some success with. You spin up a new cloud instance and get an IP address that has been reissued. Immediately start sniffing the traffic while doing some research to identify who had previously been using that IP address. What can you obtain? Maybe an admin will try to log into the old server by IP address, so now you have a valid admin username and password. If the IP was reissued before every ISP's DNS cache updated, you will likely see hits to services still cached at those ISPs, such as FTP accounts via domain, SSH accounts via domain, and for hosted servers you can at least grab some of the domains hosted at that previous IP.

You would be surprised at the kind of information you can grab. Something to think about.
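The defensive side of the idea above is to make sure none of your own names still resolve to an address you have given back. The following audit is an added example, not code from the original post: it reads a BIND-style zone export, compares every A record against the set of addresses (or CIDR ranges) you currently hold, and reports the stale ones before an admin's client follows a cached record to a stranger's instance. The zone lines, host names and addresses are all constructed sample data.

```python
"""Audit DNS records for addresses you no longer control.

Added example (not from the original post): flags A records whose target
is not in the set of addresses currently allocated to you, so a reissued
cloud IP cannot keep receiving your admins' logins. All names and
addresses below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample zone export (BIND-style lines), not a real zone.
SAMPLE_ZONE = """\
www.example.test.     300 IN A     203.0.113.10
ftp.example.test.     300 IN A     203.0.113.11
old-db.example.test.  300 IN A     198.51.100.7
mail.example.test.    300 IN CNAME www.example.test.
api.example.test.     300 IN A     203.0.113.12
"""

# Constructed: the addresses currently assigned to our instances.
# Entries may be single hosts or CIDR ranges.
OWNED_ADDRESSES = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# name [ttl] [IN] A ipv4 ; TTL and class are optional in many exports.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(zone_text):
    """Return (name, ip) pairs for every A record in a zone export."""
    records = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group("name"), m.group("ip")))
    return records


def stale_records(zone_text, owned):
    """Return A records pointing at addresses outside the owned set."""
    owned_nets = [ipaddress.ip_network(o) for o in owned]
    stale = []
    for name, ip in parse_a_records(zone_text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in owned_nets):
            stale.append((name, ip))
    return stale


if __name__ == "__main__":
    for name, ip in stale_records(SAMPLE_ZONE, OWNED_ADDRESSES):
        print(f"STALE: {name} -> {ip} (address no longer allocated to us)")
```

Run it against a real zone export whenever an instance is destroyed; anything it prints should be deleted or repointed, and the TTL on records for short-lived instances kept low so caches at ISPs expire soon after the change.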

Sep 12, 2011

This is just a quick note on how to password protect wp-admin using nginx.

You may have to fiddle with where the lines go in the site.conf file.

Where I first thought the directives needed to go, nginx served me a "download file" of type bin after authentication.

So, here is how I did it:

server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log /logs/domain.com-access.log;
    error_log /logs/domain.com-error.log;
    root /var/www/sites/domain.com/htdocs;

    location / {
        try_files $uri $uri/ /index.php?q=$request_uri;
        include /usr/nginx/conf/staticfiles.conf;
        include /usr/nginx/conf/php.conf;
        include /usr/nginx/conf/drop.conf;

        # password protect wp-admin (nested so the same try_files fallback applies)
        location ~ ^/wp-admin {
            auth_basic "Restricted";
            auth_basic_user_file /path/to/htpasswd/file;
            try_files $uri $uri/ /index.php?q=$request_uri;
        }
    }
}
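The post does not show how the htpasswd file itself is produced, so here is an added example (my code, not the post's) that writes and verifies entries in the {SSHA} form, one of the formats nginx reads natively alongside crypt() and apr1 hashes. The user name, password, salt and file path are constructed; the verifier mirrors what nginx does when it checks a line.

```python
"""Create and verify entries for nginx's auth_basic_user_file.

Added example (not from the original post). nginx accepts several hash
forms in the htpasswd file; this writes the {SSHA} form (salted SHA-1,
LDAP style), which nginx parses natively, and verifies an entry the same
way nginx does. User name, password and path below are constructed.
"""
import base64
import hashlib
import hmac
import os
import stat


def make_ssha_entry(username, password, salt=None):
    """Return 'user:{SSHA}base64(sha1(password + salt) + salt)'."""
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per entry
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{username}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def verify_ssha_entry(entry, username, password):
    """Check a password against one htpasswd line; False on any mismatch."""
    user, _, hashed = entry.partition(":")
    if user != username or not hashed.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def write_htpasswd(path, entries):
    """Write the file outside the web root, readable only by owner and group."""
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)  # mode 0640


if __name__ == "__main__":
    # Constructed credentials; the file path is a placeholder.
    entry = make_ssha_entry("wpadmin", "constructed-example-passphrase")
    write_htpasswd("/tmp/example.htpasswd", [entry])
    print(entry)
```

Keep the file outside htdocs, owned by root and group-readable by the nginx worker user, so it is never served and cannot be edited by the web process. After reloading nginx, confirm the protection from the outside with a request such as `curl -I http://domain.com/wp-admin/` and also for a PHP file under wp-admin: if the php.conf you include declares its own regex location for .php files ahead of the wp-admin block, nginx routes .php requests to whichever regex location appears first, and only a 401 on both checks proves the directive order is right.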

Aug 24, 2011

Thought I would share this quick fix for CVE-2011-3192, with the PoC available here:

First, if you are an Apache admin, get this fixed ASAP. I was able to take down a small test server with 7 HTTP GET requests.

Log in to the server and run this command to see if you have mod_headers installed:

locate mod_headers

If you see mod_headers.so in that list, you can continue to Configuring Apache. Otherwise, go to Compiling Mod_Headers.


Jul 22, 2011

I am often on the go, and sometimes I only have a few hours to do something. A scenario came up where I had a few hours of time and wanted to do a quick pentest of a few sites during that window. I had a long list of domains to audit, and during the previous two days I had started at the top of the list and worked my way down. I had made it through about 13 domains but had 150+ left to go. It is during these brief periods that I could perform the bulk scan of a few domains and stay on track to get the job completed on time. Except I didn't have a way to select 5 or 6 domains from the list without doing it manually.

I came up with an idea: what if I could randomly select a few hosts from the list, then keep track of the hosts I had audited this way? Eventually I would get through the entire list. The following script is what I came up with...
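As an added illustration of the scheduling idea (this is my own code, not the script from the original post), the following picks a random batch of hosts that have not yet been audited and appends them to a record file, so successive batches never overlap and the list is eventually exhausted. The host names and the record file name are constructed; the batch size is a command-line argument.

```python
"""Pick a random batch of not-yet-audited hosts and record the choice.

Added example (not the script from the original post): given the full
host list and a file recording hosts already audited, pick N random
remaining hosts and append them to the record so batches never overlap.
The host list and file name are constructed.
"""
import random
import sys
from pathlib import Path

# Constructed sample data (not real targets).
ALL_HOSTS = [f"host{i:03d}.example.test" for i in range(1, 21)]


def load_done(done_file):
    """Hosts already audited, one per line; a missing file means none yet."""
    path = Path(done_file)
    if not path.exists():
        return set()
    return {line.strip() for line in path.read_text().splitlines() if line.strip()}


def pick_batch(all_hosts, done, count, rng=random):
    """Return up to `count` random hosts that are not in `done`."""
    remaining = [h for h in all_hosts if h not in done]
    return rng.sample(remaining, min(count, len(remaining)))


def record_batch(done_file, batch):
    """Append the chosen hosts so the next run skips them."""
    with open(done_file, "a") as fh:
        for host in batch:
            fh.write(host + "\n")


def next_batch(all_hosts, done_file, count):
    """One scheduling step: load the record, pick, record, and return the batch."""
    done = load_done(done_file)
    batch = pick_batch(all_hosts, done, count)
    record_batch(done_file, batch)
    return batch


if __name__ == "__main__":
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    for host in next_batch(ALL_HOSTS, "audited_hosts.txt", n):
        print(host)
```

Because the record is appended before any scanning starts, an interrupted session still marks its hosts as taken; if a scan fails partway, delete that host's line from the record so it is picked again next time.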


Jul 10, 2011

So, like most people who do pentesting, I am always strapped for time and have way too many things on my plate. What I have done over the years is try to automate the things I do on a regular basis. This lets me repeat results consistently, and it lets me run a consistent pentest weekly, monthly, or however often I need to schedule them.

I will go ahead and tell you now: these tests are extremely noisy. They generate a lot of traffic, and I don't try to slide under any IDS or anything else. Why? Because I am authorized to conduct these penetration tests.


May 10, 2011

There has been a lot of recent talk about "securing the cloud", but let me give you my take on it.

I am in the cloud, businesses are in the cloud, but which cloud? Is any one cloud environment more secure than another? Let me give you a few things I have learned about the cloud, because this might seem rather alarming to some or most.

Treat every cloud environment as a hostile environment. Treat it like a wide open door to your business infrastructure; as a matter of fact, treat it like something blew two of the four outer perimeter walls off your business along with half of the roof. Rethink what you consider secure and how you secure services and applications, and treat it like you just handed everything to a blackhat hacker.

Almost every cloud environment I have used or tested offers a "private IP address", but is it really private? If you dig around, you will find that it is not. As a matter of fact, others with those private IP addresses seem to believe they have their own VLAN of private address ranges segregated from everyone else, but the fact is that you share the private address range, and the traffic on it, with many other clients. Why? Because you are all sharing a cut of the CPU, memory, network cards, etc. of the same physical server. Even though you might secure your forward-facing applications, you would be surprised how many applications on the private IP addresses are not secured. Why? Because people automatically think of it as "our local network" or "private LAN". Why? Because it is in the same IP range as a private network.

See EXAMPLE 1 below

And because people treat it like a private LAN, they do the craziest things: unpatched Apache or other insecure software, MySQL root without a password on the private LAN for ease of administration, or using the private LAN to send critical confidential customer (or patient) records across to a failover server, unencrypted. You see where this is going?

See EXAMPLE 2 below
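A quick way to find out what you are exposing to the other tenants of that "private" range is to inventory listeners on the instance. The check below is an added example (my code, not the post's): it parses `ss -ltn` style output and reports every service bound to all interfaces or to the private address itself, other than the ports you intend to be public. The socket listing, the private address and the public port set are constructed.

```python
"""Flag services listening on the shared 'private' cloud address.

Added example (not from the original post): parses `ss -ltn` style
output and reports listeners reachable from the shared private range,
i.e. bound to 0.0.0.0 / [::] or to the private address itself rather
than loopback. The socket listing and addresses are constructed.
"""
import ipaddress

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     10.0.1.15:5432     0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      128    [::1]:11211        [::]:*
"""

# Constructed: this instance's address on the shared "private" range.
PRIVATE_ADDRESS = "10.0.1.15"

# Ports meant to be public; everything else should be loopback-only
# or reachable only through an encrypted, authenticated channel.
PUBLIC_PORTS = {22, 80, 443}


def parse_listeners(ss_text):
    """Return (ip, port) for each LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # IPv6 is written as [addr]:port
        listeners.append((host.strip("[]"), int(port)))
    return listeners


def exposed_on_private(listeners, private_address, public_ports):
    """Listeners reachable from the private range that are not meant to be public."""
    private_ip = ipaddress.ip_address(private_address)
    exposed = []
    for host, port in listeners:
        addr = ipaddress.ip_address(host)
        reachable = addr.is_unspecified or addr == private_ip
        if reachable and port not in public_ports:
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    found = exposed_on_private(parse_listeners(SAMPLE_SS_OUTPUT), PRIVATE_ADDRESS, PUBLIC_PORTS)
    for host, port in found:
        print(f"EXPOSED on private range: {host}:{port}")
```

On a live host, feed it the real `ss -ltn` output and its own private address; each line it prints is a service that every other tenant on that range can reach, so either bind it to 127.0.0.1, firewall the private interface, or put it behind TLS and authentication.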

And then let's talk about pre-made cloud environments...


May 05, 2011

On my BackTrack installation, and also on my Gentoo laptop with the same directory structure, I keep everything that lives in Subversion or similar up to date using a script. Here is the script...

By the way, I don't have the identical toolset to BackTrack. I have added a lot of things, and I generally try to get the Subversion versions of them if possible. The easiest way to find which software or applications in the /pentest directory come from Subversion is to scan for .svn folders. If one exists, you can add that application to this script.
